CVE-2014-7810

Published: 07 June 2015

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

From the Ubuntu security team

It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism.

Priority

Medium

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian 		Upstream
Released (6.0.41-3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (6.0.45+dfsg-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (6.0.39-1ubuntu0.1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1645366
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1659538
tomcat7
Launchpad, Ubuntu, Debian 		Upstream
Released (7.0.61-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(7.0.61-1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(7.0.61-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (7.0.52-1ubuntu0.3)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1644019
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1645644
tomcat8
Launchpad, Ubuntu, Debian 		Upstream
Released (8.0.21-2)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(8.0.22-2)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(8.0.22-2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading